  • A HIPAA BAA must be in place for a regulated entity to use online tracking technologies to collect IIHI from its website, mobile apps, or social media page(s) for health care operations purposes.
  • OCR says all IIHI, including an individual’s IP address and geolocation, collected by a regulated entity’s website is protected by HIPAA.
  • If a HIPAA BAA cannot be put in place, or is not proper, a covered entity would need to obtain a signed HIPAA Authorization from each individual before IIHI is “disclosed” to any tech vendor.
  • IIHI that has been impermissibly disclosed to a technology vendor using tracking technologies in connection with a regulated entity’s website, mobile app, or social media page will need to be evaluated under the Breach Notification Rule.

Subscribe HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools to help you stay on top of the newest compliance challenges in 2023!

On December 1, 2022, OCR issued a guidance Bulletin “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” Although OCR is neutral in its discussion of “tracking technologies,” it was undoubtedly spurred by the Meta Pixel/Facebook exposé fiasco that now has numerous hospitals, health care systems and technology vendors named as defendants in class action lawsuits.  I examine that litigation in another post, so today we will focus on what organizations subject to HIPAA (referred to as “regulated entities”) can do to prepare for a potential HIPAA Compliance Review by OCR – which we have been informed are already taking place – in light of this new Bulletin.

Does Your Organization “Use” Online “Tracking Technology”?

The threshold question to ask and answer is: does your organization knowingly (or unwittingly) use or enable online tracking technology? If you do not immediately know the answer to this question with regard to every single website, patient portal, mobile app, social media page (e.g., Facebook), etc. that your organization maintains or holds out to the public, you need to complete this assessment pronto.

OCR generally describes online tracking technology as “a script or a code on a website or a mobile app used to gather information about users as they interact with the website or mobile app.” It can include cookies, web beacons or tracking pixels, session replay scripts, and other mechanisms. Google Analytics and Meta Pixel (for Facebook) are two examples of widely used tracking technologies. Beyond this, OCR explains how it views HIPAA as applying to online tracking technologies used or enabled in three different contexts: user-authenticated webpages, unauthenticated webpages, and mobile apps.

User-authenticated webpages are ones that require a user to log in before they are even able to access the webpage. Patient portals and telehealth platforms are two examples of user-authenticated webpages. Here, if online tracking technologies are enabled, they are likely to have access to specific PHI. Therefore, regulated entities must ensure they are HIPAA compliant with regard to user-authenticated webpages (e.g., executed HIPAA BAA; Security Rule compliance etc.).

Unauthenticated webpages are ones that do not require users to log in before they are able to access the webpage. This would include webpages with general information about the regulated entity, like the services they provide. While OCR acknowledges that unauthenticated webpages typically do not include access to individuals’ PHI, OCR also highlights a few exceptions. Examples of when online tracking technologies could have access to PHI in connection with a regulated entity’s unauthenticated webpage include one that:

  • Permits a user to enter information, such as demographic info, scheduling info, registration info etc.;
  • Addresses specific symptoms or health conditions, such as pregnancy or miscarriage;
  • Permits individuals to search for doctors or schedule appointments without entering log-in credentials.

With regard to mobile apps, OCR does note that in order for a regulated entity to be “on the hook” for compliance with HIPAA, it would have to be directly offering such mobile app to individuals. Mobile apps that are not “offered by or on behalf of” a regulated entity, i.e., ones that individuals use to request and download their own information from a regulated entity, would not be subject to HIPAA.

PHI Now Includes What?!

Perhaps the most troubling part of OCR’s Bulletin is the extremely expansive new view it seems to take with regard to which information falls within the Privacy Rule’s definition of Protected Health Information. After pointing out that regulated entities disclose a variety of information to tracking technology vendors through tracking technologies installed or “enabled” on a regulated entity’s website or mobile app, OCR then concludes:

 “individually identifiable health information (IIHI) that the individual provides when they use regulated entities’ websites or mobile apps . . . might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.” (emphasis is mine)

Wait, what?!  

So, is OCR saying that if a person surfing the internet lands on a regulated entity’s webpage and searches for a specific doctor for a specific condition, and their IP address and/or geographic location is collected through online tracking technology, even when that technology has not been purposefully enabled or requested by the regulated entity, it is still on the regulated entity to ensure that such data is not collected by the vendor — and if it is, this is a violation of HIPAA (i.e., an impermissible disclosure of PHI) by the regulated entity? *yikes*

OCR’s rationale for its conclusion is that when a regulated entity “collects” an individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care. However, there are a lot of questions about how this interpretation plays out in practice.

One question I have is: if a regulated entity has not authorized or enabled the online tracking technology, and the IP address or geographic location of the browsing user can be obtained outside “the pocket” of the regulated entity’s website (i.e., is “public” information available from the internet), how can this be considered a “disclosure” of PHI by the regulated entity? It shouldn’t. Another question I have is whether, where Medicare, a covered entity health plan, also maintains a website (as well as a Facebook page) which, presumably, allows user interactions in a similar manner as other regulated entity websites do and likely also has online tracking technologies enabled, OCR’s conclusions apply there equally. Hopefully, as discussion on these issues continues, these and other questions will be answered.

Is Online Tracking Technology Ever Permissible?

Regulated entities may be somewhat relieved to be reassured that they can collect information through online tracking technologies and use it in compliance with HIPAA if proper safeguards are in place. For example, a covered entity would be permitted to analyze information about how users interact with its website or mobile app so long as there is a HIPAA BAA in place with the technology vendor facilitating that activity on behalf of the covered entity, and the vendor otherwise abides by the restrictions of the HIPAA BAA on any further use or disclosure of the data collected. Therefore, if you are a regulated entity that has purposefully enabled online tracking technologies, like Google Analytics, so that you can use information collected about website users for your own health care operations purposes, you must have a HIPAA BAA in place with the technology vendor that is performing that data collection for you. The corollary is also true: if you are a technology vendor creating, receiving, maintaining, or transmitting individually identifiable health information for a regulated entity performing covered functions (e.g., health care operations), you are a HIPAA-covered business associate and must agree to a HIPAA BAA.

What to Expect from an OCR Inquiry Focused on Assessing HIPAA Compliance with Use of Online Tracking Technology

The word on the street is that even though the Bulletin providing guidance on the use of online tracking technologies was just published, HIPAA compliance investigations by OCR are already underway concerning this topic. Should OCR come knocking on your door, here are several questions you should have answers to and documents you should be prepared to produce:

    1. Identify all third-party data tracking technology vendor(s) or suppliers of web tracking services your organization has contracted to use or has not otherwise disabled.
    2. Identify each and every application and platform (e.g., EHR, telehealth platform, web-based patient portal, informational websites, social media websites) used by your organization where third-party data tracking technology is enabled or not disabled.
    3. Identify exactly what data (e.g., including the IP address and geolocation of the individual, even where there is no other identifiable health information) is tracked or monitored by third-party data tracking technology and for what purpose.
    4. Determine if any data is transmitted to or collected by the third-party data tracking technology vendor or supplier of web tracking services.
    5. Be prepared to provide copies of all HIPAA BAAs in place with third-party tracking technology vendor(s) or supplier(s) of web tracking services.
    6. Provide documentation demonstrating that a technical and nontechnical evaluation was completed, as is required by the Security Rule, of the risks associated with implementing (or not disabling) third-party data tracking technology, including an assessment of the risks associated with introducing tracking technologies that transmit PHI to the tracking technology vendor(s) or supplier(s) of web tracking services.
    7. If your organization has discovered, as a result of receiving notice from any other individual or entity, due to an internal review/investigation, or through another avenue, that your organization’s use of tracking technologies has resulted in an impermissible disclosure of PHI, provide a copy of a completed Breach Assessment, including the date(s) of discovery, dates of the unauthorized disclosure, number of individuals impacted, type of information that was disclosed, probability that the PHI has been or will be compromised, mitigation steps, outcome, Breach Notices issued, etc.
    8. Is a Security Awareness and Training program implemented by your organization for its workforce members, and has it addressed HIPAA issues related to use of online tracking technology?
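The threshold question above and checklist items 1 through 3 both start with an inventory of which tracking technologies a page actually loads. As an added example, not from OCR’s Bulletin or this post, here is a small Python script that parses a page’s HTML and reports which known tracker loaders, JavaScript globals, or pixel images it finds; the vendor signature table and the sample page are constructed assumptions, so extend the table with the vendors your organization uses.

```python
import re
from html.parser import HTMLParser

# Vendor signatures (assumption: hostnames/JS globals these products load through; extend for your vendors).
TRACKER_SIGNATURES = {
    "Google Analytics / Tag Manager": [r"googletagmanager\.com", r"google-analytics\.com", r"\bgtag\("],
    "Meta Pixel": [r"connect\.facebook\.net", r"facebook\.com/tr\b", r"\bfbq\("],
    "Session replay (Hotjar / FullStory)": [r"hotjar\.com", r"fullstory\.com"],
}

class _Collector(HTMLParser):
    """Collects external script URLs, inline script bodies and <img> sources (pixels)."""
    def __init__(self):
        super().__init__()
        self.candidates, self._in_script, self._buf = [], False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._buf = True, []
            if a.get("src"):
                self.candidates.append(("script src", a["src"]))
        elif tag == "img" and a.get("src"):  # 1x1 pixels, including those inside <noscript>
            self.candidates.append(("img src", a["src"]))
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            if "".join(self._buf).strip():
                self.candidates.append(("inline script", "".join(self._buf).strip()))

def find_trackers(html):
    """Return {vendor: [evidence, ...]} for every signature matched in the page."""
    parser = _Collector()
    parser.feed(html)
    hits = {vendor: [f"{kind}: {src[:70]}" for kind, src in parser.candidates
                     if any(re.search(p, src) for p in patterns)]
            for vendor, patterns in TRACKER_SIGNATURES.items()}
    return {vendor: evidence for vendor, evidence in hits.items() if evidence}

# Constructed sample "find a doctor" page carrying GA4 and Meta Pixel tags (placeholder IDs).
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>function gtag(){dataLayer.push(arguments);} gtag('config','G-PLACEHOLDER');</script>
<script>var s=document.createElement('script');s.src='https://connect.facebook.net/en_US/fbevents.js';
document.head.appendChild(s);fbq('init','000000000');fbq('track','PageView');</script>
</head><body><noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<form action="/find-a-doctor"><input name="condition"><input name="zip"></form></body></html>"""
```

Run it against a saved copy of each page in the inventory; tags injected at runtime by a tag manager will not appear in static HTML, so pair this with a browser network capture when documenting item 4.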

This is just a small sample of the types of questions that regulated entities could expect to have to answer. If you do not have the answers or cannot produce documentation in response to such questions, you should begin an internal assessment to do so asap, and mitigate any gaps as needed (also asap).

If you need an additional tool to help you complete a more comprehensive assessment of your compliance with HIPAA re: online tracking technologies, and would like ideas on mitigation steps to take, subscribe to our Legal HIE Compliance Library here for access to:

CHECKLIST: “HIPAA Compliance Assessment & Mitigation for Enabled Online Tracking Technologies.”